Snort mailing list archives
RE: alert refused to pass
From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Fri, 27 Feb 2004 18:07:50 +0800
People .. oops! I spotted my mistake. Accidentally put one of the IP addresses into INTRA_NET site. Sorry!

Cheers,
Jas

-----Original Message-----
From: Jasmine CHUA
Sent: Friday, February 27, 2004 5:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] alert refused to pass

Hi all

I have a problem here and hope someone can help me see some light. I have a pass rule that goes:

    pass tcp $INTRA_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:cve,CVE-1999-0678; reference:bugtraq,318; classtype:web-application-activity; sid:1000026; rev:1;)

However, I am still seeing traffic and the rule does not work.

My snort.conf :

    var INTRA_NET [x.x.x.x/x]
    var HTTP_SERVERS [y.y.y.y/y]

And, I did include a "-o" when running snort. What am I missing here.. :(

Jas
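A way to check which address variables an observed source and destination fall into, so a pass rule header such as `$INTRA_NET any -> $HTTP_SERVERS` can be compared against the traffic that still alerts. This is an added example, not code from the thread or from Snort. The sample config uses constructed documentation-range addresses, the function names are hypothetical, and negated (`!`) entries are assumed absent.

```python
import ipaddress
import re

# Constructed sample config (documentation-range addresses, not from the post).
SAMPLE_CONF = """
var INTRA_NET [192.0.2.0/24,198.51.100.7]   # one stray host listed with the LAN
var HTTP_SERVERS [203.0.113.10/32]
var HTTP_PORTS 80
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")

def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    variables = {}
    for line in conf_text.splitlines():
        match = VAR_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            variables[match.group(1)] = match.group(2)
    return variables

def networks(variables, name, _seen=()):
    """Expand an address variable (lists and $references) into ip_network objects."""
    if name in _seen:
        raise ValueError("circular reference: " + name)
    nets = []
    for item in variables[name].strip("[]").split(","):
        item = item.strip()
        if item.startswith("$"):
            nets += networks(variables, item[1:], _seen + (name,))
        elif item == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def vars_containing(variables, addr, names):
    """List the variables in 'names' whose expanded networks contain addr."""
    ip = ipaddress.ip_address(addr)
    return [n for n in names if any(ip in net for net in networks(variables, n))]

def pass_header_matches(variables, src, dst,
                        src_var="INTRA_NET", dst_var="HTTP_SERVERS"):
    """True when src/dst satisfy the address part of the pass rule header."""
    return (bool(vars_containing(variables, src, [src_var]))
            and bool(vars_containing(variables, dst, [dst_var])))
```

Running `vars_containing` on the source address of an alert that was expected to be suppressed shows whether that host is in the variable the pass rule actually references.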